Hi folks,

Setting up DNSSEC for a parent domain is relatively simple. The fiddly bit is probably where you have to figure out what your KSK is so that you can give it to your ISP. They can then create a DS record to verify a DNSKEY record in your domain and so complete the chain of trust. Check it out:

  http://dnsviz.net/d/dapadam.nl/dnssec/

But what about doing this for your own child domains? My site runs Bind 9.8.4 on Debian wheezy. I thought that I would only have to copy the dsset-* file from the child domain's host to the host for the parent domain. There I added a line to the parent domain's zone file, "$INCLUDE dsset-zuid.dapadam.nl." and then signed the parent zone. It seemed simple enough, but there are problems, so I guess I'm missing something. I've got three examples:

1.)  http://dnssec-debugger.verisignlabs.com/zuid.dapadam.nl

This says "RRSIG=55893 and DNSKEY=55893 does not verify the DS RRset (RSA Verification failed) / The DS RRset was not signed by any keys in the chain-of-trust" and "DS=0/SHA1 is published, but a corresponding DNSKEY is not / None of the 3 DNSKEY records could be validated by any of the 2 DS records"

2.)  http://dnsviz.net/d/zuid.dapadam.nl/dnssec/

This shows two DS records in the parent zone, one not secure and one bogus, and three DNSKEY records in the child zone, none of which are secure.

3.)  http://www.dnssecmonitor.org/

Fill in "zuid.dapadam.nl" and it will also say that things are not right ("CHAIN CRITICAL: ... signature crypto failed from 127.0.0.1 for DS zuid.dapadam.nl. while building chain of trust").

On the other hand, I've used dig to request the DS and DNSKEY records involved:

  ~# dig +dnssec -t DS noord.dapadam.nl
or
  ~# dig +dnssec -t DNSKEY noord.dapadam.nl

The responses to these commands seem okay, but perhaps this is not the best way to verify whether or not I have a problem.

So, what's going on here? Do I have a problem? If so, what have I possibly done wrong and/or what might I be missing?

Thanks,

Jaap
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
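The check the three validators in the post perform on the delegation is mechanical: for every DS record published in the parent, hash the child's owner name plus each DNSKEY RDATA and see whether key tag, algorithm and digest line up. The script below is an added example for this thread, not part of the original post or of BIND. It derives DS records from DNSKEYs per RFC 4034 (key tag from Appendix B, digest over the canonical owner name and the RDATA), parses lines in the presentation format that dsset-* files use, and reports which DS records have no matching DNSKEY. The keys in it are constructed 4-byte toys so the key-tag arithmetic can be checked by hand; they are not the real dapadam.nl keys.

```python
import base64
import hashlib
import struct

# Constructed sample data: a toy 4-byte "public key" per DNSKEY so the key-tag
# arithmetic can be checked by hand. These are NOT the real dapadam.nl keys.
SAMPLE_OWNER = "zuid.dapadam.nl."
SAMPLE_DNSKEYS = [
    # (flags, protocol, algorithm, base64 public key)
    (257, 3, 8, "AQIDBA=="),  # flags 257 = KSK (SEP bit set), algorithm 8 = RSASHA256
    (256, 3, 8, "BQYHCA=="),  # flags 256 = ZSK
]

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B. Algorithm 1 (RSAMD5, deprecated)
    uses a different rule and is not handled here."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> dict:
    """Derive the DS record a parent should publish for this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def parse_ds_line(line: str) -> dict:
    """Parse one presentation-format DS line as found in a dsset-* file,
    e.g. 'zuid.dapadam.nl. IN DS 2063 8 2 <hex digest>'. The hex digest may be
    split across several whitespace-separated tokens, so the tail is joined."""
    tokens = line.split()
    i = tokens.index("DS")
    return {"key_tag": int(tokens[i + 1]), "algorithm": int(tokens[i + 2]),
            "digest_type": int(tokens[i + 3]),
            "digest": "".join(tokens[i + 4:]).upper()}


def check_chain(owner: str, ds_rrset: list, dnskey_rrset: list) -> list:
    """For each DS published in the parent, return (ds, matching DNSKEY tuple or None).
    A DS with no matching DNSKEY cannot anchor the child's chain of trust."""
    results = []
    for ds in ds_rrset:
        match = None
        if ds["digest_type"] in DIGESTS:  # unknown digest type: nothing to compare
            for key in dnskey_rrset:
                cand = ds_from_dnskey(owner, *key, digest_type=ds["digest_type"])
                if (cand["key_tag"], cand["algorithm"], cand["digest"]) == \
                        (ds["key_tag"], ds["algorithm"], ds["digest"]):
                    match = key
                    break
        results.append((ds, match))
    return results


if __name__ == "__main__":
    good = ds_from_dnskey(SAMPLE_OWNER, *SAMPLE_DNSKEYS[0])
    good_line = f"{SAMPLE_OWNER} IN DS {good['key_tag']} 8 2 {good['digest']}"
    # Constructed bad DS: key tag 0 with an all-zero SHA-1 digest.
    bad_line = f"{SAMPLE_OWNER} IN DS 0 8 1 {'00' * 20}"
    parent_ds = [parse_ds_line(good_line), parse_ds_line(bad_line)]
    for ds, key in check_chain(SAMPLE_OWNER, parent_ds, SAMPLE_DNSKEYS):
        status = f"matches DNSKEY flags={key[0]}" if key else "NO MATCHING DNSKEY"
        print(f"DS {ds['key_tag']}/{ds['algorithm']}/type{ds['digest_type']}: {status}")
```

To use it against a real delegation, feed `parse_ds_line` the lines of the dsset-* file (or the DS RRset from `dig +dnssec -t DS child.example`) and `check_chain` the (flags, protocol, algorithm, key) tuples from the child's DNSKEY answer; a DS that comes back with `None` is one a validator will report as unverifiable.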